Patch Analysis for January 2006

Microsoft reversed its original stance on releasing this patch next Tuesday and published it yesterday. As you should already be aware, this patch addresses the highly publicized WMF vulnerability that caught Microsoft unawares due to irresponsible disclosure. The published workaround of disabling the Windows Picture and Fax Viewer (unregistering it with “regsvr32 -u %windir%\system32\shimgvw.dll”) has limited effectiveness since it only blocks attack vectors that depend on the viewer, such as a *link* to a WMF file in an email or web page. My tests indicate the workaround does not address WMF files embedded in the above.

Bottom line: load this patch on workstations and terminal services servers that deliver end-user applications. As always, avoid browsing the web, reading email or other “user” activities while logged on interactively or via RDP to servers. Some organizations may delay loading this patch if they have a comprehensive anti-malware strategy that scans emails, files retrieved via internal web browsers and other vectors through which infected files can arrive on workstations. Ultimately this requires enabling the full Auto-Protect feature of Norton Antivirus and the corresponding features in other AV products that enforce scanning of every file as it is opened.

This is a particularly bad vulnerability for workstations and any
computers where users browse the web or read HTML email or otherwise
view HTML content from untrusted or insecure sources. Attackers can
exploit this vulnerability by embedding a specially crafted web font
into HTML content and then waiting or maneuvering victims to view the
content. Most organizations will want to install this patch to
workstations and terminal services servers as soon as possible or
implement a workaround in which you configure Internet Explorer to
refrain from downloading embedded web fonts. This workaround will
affect the user experience for legitimate websites that use embedded web
fonts.

For a demonstration of the workaround and to compare how a web page with
embedded fonts looks with and without the font download enabled, follow
these steps. First open Internet Explorer and maneuver to
Tools\Internet Options\Security. Select the Internet Zone and then
click Custom Level. Scroll the Settings list till you find "Font
download" and select Prompt. Click OK twice. Now direct the browser to http://www.microsoft.com/typography/web/embedding/default.htm and click
on the links provided such as Typographic Ornament. IE will prompt you
to allow the font download or not. Try it both ways for a comparison.

You can centrally configure the "Font download" setting for all
workstations in your domain using Group Policy. Edit a group policy
object and explore User Configuration\Windows Settings\Internet Explorer
Maintenance\Security\Security Zones and Content Ratings.

Randy Franklin Smith's Complete Windows Security teaches you how to
leverage the largest operating system in the world to manage its
inherent weaknesses and defend against information security risks in
general using technology you already own.

This is another bad vulnerability that affects both workstations and
Exchange 5 and 2000 Servers. (Exchange Server 2003 is not affected.)
With this vulnerability the attacker sends a specially crafted email in
rich text format which overflows a buffer and causes arbitrary code to
run in the context of the server or user depending on where the attack
occurs. This is particularly bad since it can directly impact servers
and since it allows the attacker to take the offensive with direct,
targeted attacks instead of "bait-and-wait" attacks common to the recent
spate of graphics rendering engine attacks. Most organizations will
want to load this patch on all systems with Office 2000, XP or 2003.
Note that there are additional patches for Multilanguage Packs and
Multilingual User Interface Packs for Office. (See the bulletin for
more information on these packs.)

Some organizations may choose to block incoming application/ms-tnef MIME
type (aka rich text) emails as a viable workaround. Unfortunately the
only workarounds detailed in the bulletin assume the availability of ISA
Server 2000 or 2004. Your third-party e-mail filters may provide the
needed functionality.
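As an added example (not code from the newsletter), this Python script does on a mail stream what the workaround above describes at the gateway: it flags application/ms-tnef parts (and winmail.dat bodies identified by the TNEF signature, whatever the declared type) and, covering the embedded-WMF point made at the top of this issue, any part whose bytes begin like a WMF file regardless of the content type or extension it claims. The sample message, addresses and file names are constructed; the magic numbers are the documented file signatures.

```python
import email
from email import policy
from email.message import EmailMessage

# Documented file signatures (little-endian on disk); also used to build the constructed sample.
TNEF_MAGIC = b"\x78\x9f\x3e\x22"           # TNEF signature 0x223E9F78
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # placeable WMF key 0x9AC6CDD7

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start like a WMF file, whatever the declared type says."""
    if data.startswith(WMF_PLACEABLE_MAGIC):
        return True
    # Standard METAHEADER: mtType 1 (memory) or 2 (disk), mtHeaderSize == 9 words
    return len(data) >= 4 and data[0] in (1, 2) and data[1] == 0 and data[2:4] == b"\x09\x00"

def classify_part(ctype: str, name: str, payload: bytes):
    # Return 'tnef', 'wmf' or None for one decoded MIME leaf part
    if ctype == "application/ms-tnef" or name.lower() == "winmail.dat" or payload.startswith(TNEF_MAGIC):
        return "tnef"
    return "wmf" if looks_like_wmf(payload) else None

def scan_message(raw: bytes) -> list:
    """Walk every leaf part of a raw RFC 822 message and list the risky ones."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(inline)"
        payload = part.get_payload(decode=True) or b""
        kind = classify_part(part.get_content_type(), name, payload)
        if kind:
            findings.append((kind, name))
    return findings

def build_sample() -> bytes:
    # Constructed test message: a TNEF attachment plus a WMF disguised as a JPEG
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    msg.set_content("See attachments.")
    msg.add_attachment(TNEF_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    msg.add_attachment(WMF_PLACEABLE_MAGIC + b"\x00" * 18, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return bytes(msg)

if __name__ == "__main__":
    for kind, name in scan_message(build_sample()):
        print(f"{kind}: {name}")  # the constructed sample yields one tnef and one wmf finding
```

A real filter would run scan_message over each inbound message and quarantine or strip the flagged parts rather than trusting the sender's Content-Type.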

See the bulletin for other vectors through which Outlook and Exchange
can be attacked with this vulnerability including X.400 and NNTP.

Interestingly, and no doubt because this discovery coincided so
closely with the end of security patch support for pre-Exchange 2003
servers, Microsoft extended support till today for Exchange 5 and 2000
with this security update. No one likes to be forced into rolling out a
software developer's latest upgrade, but this exploit increases the
urgency to migrate to Exchange Server 2003, since one exploit for a given
product or feature area is often followed by more in the same area.

Bulletin: MS06-003 (KB 902412)
Exploit Types/Technologies Affected: Arbitrary code / Outlook, Exchange, Office
System Types Affected: Workstations, Terminal Servers, Exchange Servers
Exploit details public? / Being exploited?: No / No
Comprehensive, practical workaround available?: No
MS severity rating: Critical
Products Affected: Office 2000, Office XP, Office 2003, Exchange 2000, Office 2002
Notes: This is another bad vulnerability that affects both workstations and Exchange 5 and 2000 Servers. (Exchange Server 2003 is not affected.)
Randy's recommendation: Most organizations will want to load this patch on all systems with Office 2000, XP or 2003. Note that there are additional patches for Multilanguage Packs and Multilingual User Interface Packs for Office.

Notes: This workaround will affect the user experience for legitimate websites that use embedded web fonts.
Randy's recommendation: Most organizations will want to install this patch to workstations and terminal services servers as soon as possible or implement a workaround in which you configure Internet Explorer to refrain from downloading embedded web fonts.

"Really appreciate your patch observer. In the corporate
IT world, anything we can get our hands on that speeds the process of analyzing
threats and how they may or may not apply to our environments is a God-send.
Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable."

- Tom C.

"I liked your high level overview of patches in the
table. There are so many sources of patch information which can be very specific
or surrounded by other stuff that it’s refreshing to get everything summarised
like this. The “Randy’s Recommendation” comment is useful starting point too.
Please keep up the good work."

- David A.

"Your Patch Observer is a very good tool in
making the decision whether to patch or not to patch. And also to patch asap or
to wait a while before patching. Also I do think the use of the table is really
improving the readability of the provided information."